This topic summarizes the firewall rules required for migration with vMotion, both in your on-premises and cloud data centers.

VMC on AWS Firewall Rules for vMotion

Ensure that the following firewall rule are configured in the VMC Console.

Use Cases Source Destination Service
Provide access to vCenter Server from the on premises.

Use for general vSphere Client access as well as for monitoring vCenter Server

remote (on-premises) vSphere Client IP address vCenter HTTPS
Allow outbound vCenter Server access to on-premises vCenter Server. vCenter remote (on-premises) vCenter Server IP address Any (All Traffic)
Allow SSO vCenter Server remote (on-premises) Platform Services Controller IP address vCenter SSO (TCP 7444)
ESXi NFC traffic remote (on-premises) ESXi VMkernel networks used for NFC. ESXi Provisioning (TCP 902)
Allow outbound ESXi access to on-premises . ESXi remote (on-premises) ESXi management VMkernel networks Any (All Traffic)
Allow vMotion traffic. remote (on-premises) ESXi vMotion VMkernel networks ESXi vMotion (TCP 8000)

On-Premises Firewall Rules for vMotion

Ensure that the following firewall rules are configured in your on-premises firewall.

Rule Action Source Destination Service Ports
On-premises to vCenter Server Allow remote (on-premises) vSphere Client subnet VMware Cloud on AWS vCenter Server IP address HTTPS 443
Remote to ESXi provisioning Allow remote (on-premises) subnet TCP 902 902
Cloud SDDC to on-premises vCenter ServerAllow Allow CIDR block for cloud SDDC management network On-premises vCenter Server, PSC, Active Directory subnet HTTPS 443
Cloud SDDC toESXi Remote Console Allow CIDR block for cloud SDDC management network VMware Cloud on AWS vCenter Server IP address
Cloud SDDC to Remote LDAP Allow CIDR block for cloud SDDC management network Remote LDAP Server TCP 389, 636
Cloud SDDC to ESXi vMotion Allow CIDR block for cloud SDDC management network Remote ESXi host subnet TCP 8000